CVE-2026-42272

EPSS 0.4%
Veröffentlicht 08.05.2026 03:40:17
Zuletzt bearbeitet 08.05.2026 16:03:26
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation

Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 7

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerdadrus

≫

Produkt heimdall

Version < 0.17.14

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.4%	0.312

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.8	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-178 Improper Handling of Case Sensitivity

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

CWE-436 Interpretation Conflict

Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.

https://github.com/dadrus/heimdall/security/advisories/GHSA-43jv-5j4x-qv67

https://github.com/dadrus/heimdall/pull/3207

https://github.com/dadrus/heimdall/commit/8b0de6aba23a047cfee3081df878271bb17f4351

https://github.com/dadrus/heimdall/releases/tag/v0.17.14

https://nvd.nist.gov/vuln/detail/CVE-2026-42272

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-42272

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-42272

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-42272